SCCMHunter is a post-exploitation tool built to streamline identifying, profiling, and attacking SCCM-related assets in an Active Directory domain. This comprehensive toolkit provides multiple attack vectors against Microsoft System Center Configuration Manager (SCCM) infrastructure.
SCCMHunter was developed and tested in lab environments. Performance may vary in production networks. Please report issues on GitHub if you encounter problems.

Attack Methodology

SCCMHunter follows a systematic approach to SCCM exploitation:

1. Discovery and Enumeration

The tool queries LDAP through multiple methods to identify SCCM infrastructure:
  • Checks the DACL for the ‘System Management’ container manually created during AD schema extension
  • Resolves any published Management Points that clients use for communication
  • Identifies PXE-enabled Distribution Points using Windows Deployment Services
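
From the defender's side, the three LDAP lookups listed above can be correlated per client in directory query logs. The following is an added example, not SCCMHunter code; the record layout, marker substrings, IP addresses and domain name are constructed assumptions to adapt to your own logging.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings marking each discovery step listed above (assumed; tune locally).
MARKERS = {
    "system_management_container": "cn=system management,cn=system",
    "management_points": "mssmsmanagementpoint",
    "pxe_distribution_points": "netbootserver",
}

# Constructed sample records: (timestamp, client IP, search base, LDAP filter).
SAMPLE_LOG = [
    ("2024-05-01T10:00:01", "10.0.5.23", "CN=System Management,CN=System,DC=corp,DC=example", "(objectClass=*)"),
    ("2024-05-01T10:00:03", "10.0.5.23", "DC=corp,DC=example", "(objectClass=mSSMSManagementPoint)"),
    ("2024-05-01T10:00:04", "10.0.5.23", "DC=corp,DC=example", "(netbootServer=*)"),
    ("2024-05-01T10:02:00", "10.0.1.10", "DC=corp,DC=example", "(objectClass=mSSMSManagementPoint)"),
    ("2024-05-01T09:00:00", "10.0.7.40", "CN=System Management,CN=System,DC=corp,DC=example", "(objectClass=*)"),
    ("2024-05-01T11:30:00", "10.0.7.40", "DC=corp,DC=example", "(netbootServer=*)"),
]

def classify(base, ldap_filter):
    """Return the set of discovery categories one search touches."""
    text = f"{base} {ldap_filter}".lower()
    return {name for name, marker in MARKERS.items() if marker in text}

def find_sccm_recon(records, allowlist=(), window=timedelta(minutes=5), threshold=2):
    """Flag clients that hit >= threshold distinct categories within the window."""
    hits = defaultdict(list)
    for ts, client, base, flt in records:
        if client in allowlist:  # known site servers / admin hosts
            continue
        for category in classify(base, flt):
            hits[client].append((datetime.fromisoformat(ts), category))
    alerts = {}
    for client, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {cat for when, cat in events[i:] if when - start <= window}
            if len(seen) >= threshold:
                alerts[client] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for client, cats in find_sccm_recon(SAMPLE_LOG, allowlist={"10.0.1.10"}).items():
        print(f"{client}: {', '.join(cats)}")
```

Managed clients look up Management Points as part of normal operation, so a single category never alerts on its own; the signal is one non-allowlisted host touching several categories in a short window.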

2. Target Profiling

Once targets are identified, SCCMHunter profiles them using the SMB module:
  • Share Analysis: Checks for default shares required by specific SCCM roles
  • SMB Signing Status: Determines SMB signing configuration for potential relay attacks
  • Service Detection: Identifies MSSQL services and SMS Provider roles
  • Attack Surface Mapping: Builds a comprehensive picture of potential attack paths

3. Exploitation Modules

Tool Capabilities

Comprehensive SCCM Assessment

SCCMHunter provides end-to-end capabilities for SCCM security assessment:
  • Automated Discovery: LDAP-based enumeration of SCCM infrastructure
  • Intelligent Profiling: SMB-based service and role identification
  • Multiple Attack Vectors: HTTP, MSSQL, and DPAPI exploitation techniques
  • Post-Exploitation: Administrative access and lateral movement capabilities

Prerequisites

SCCMHunter requires existing network access and should only be used in authorized penetration testing scenarios.
  • Valid Active Directory credentials
  • Network access to target SCCM infrastructure
  • Python 3.x environment
  • Understanding of SCCM architecture and security implications

Next Steps

Acknowledgments

Thanks to @_Mayyhem for the documentation format inspiration and @xpn for HTTP enumeration techniques.